
Iranian Hackers Targeting Networking Devices

by Chris Brook on Tuesday August 11, 2020


The FBI warned organizations last week that an Iranian hacking group has been targeting vulnerable networking devices for a month.

The FBI is again advising organizations to fortify their defenses, this time against a group of hackers reportedly working for the Iranian government that have been targeting networking equipment.

According to reports, an FBI notification was sent to organizations in the US private sector last week, warning that hackers were actively attempting to exploit a vulnerability outlined earlier this summer, affecting F5 BIG-IP application delivery controller (ADC) devices used by firms.

The devices provide rate shaping and SSL offloading, and can act as a web application firewall. ADCs were originally designed to handle load balancing; now they also mitigate security threats and streamline how data moves through a data center and the cloud.

The devices are popular; on its website, F5 says 48 of the Fortune 50 companies rely on its services.

The vulnerability the FBI is warning about first came to light at the beginning of July, shortly after the company patched a critical remote code-execution flaw in the services, CVE-2020-5902, at the end of June.

It should come as little surprise that attacks targeting the vulnerability have been on the rise since that time frame, early July.

The bug, first found and reported to the company by Mikhail Klyuchnikov, a security researcher at Positive Technologies, exists in BIG-IP's management interface, TMUI.

Reports claim the Iranian group is known by codenames Fox Kitten and Parisite.

The FBI claims the group is also behind attacks that have targeted VPN devices and appliances like Pulse Secure (CVE-2019-11510, CVE-2019-11539) and Citrix ADC/Gateway (CVE-2019-19781). Vulnerabilities in those networking devices date back to 2019 and are some of the most exploited vulnerabilities the U.S. government has seen so far in 2020.

The FBI is one of the last government agencies to proactively push patching of the vulnerability.

The United States Cyber Command insisted that admins patch CVE-2020-5902 and the less critical vulnerability CVE-2020-5903 immediately, on July 3, after F5 pushed out its CVE-2020-5903 patch.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in late July stressing that groups were exploiting CVE-2020-5902, confirming that two organizations were hit.

“Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system,” CISA warned, adding “Note: F5’s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.”

In its advisory, F5 has warned that hackers could execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code and that the vulnerability could result in complete system compromise.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.